Remote access tool hacked by criminals to access healthcare providers

Attack hijacking ScreenConnect is still ongoing, the researchers warn

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Hackers are set to escalate attacks against multiple healthcare organizations in the United States by utilizing hacked access to an instance of ScreenConnect, a popularremote desktop tool, belonging to Transaction Data Systems (TDS).

TDS is a pharmacy supply chain and management systems solution provider with offices in all 50 states in the US. At this point, the researchers, from managed security platformHuntress, don’t know exactly how the attackers accessed the instance. They do know that they used this access to dropmalwareto endpoints belonging to two distinct organizations: one in the pharmaceutical sector and the other in healthcare.

The only thing they have in common, the researchers stressed, is the ScreenConnect instance, as both endpoints are a Windows Server 2019 system.

Reader Offer: $50 Amazon gift card with demoPerimeter 81’s Malware Protection intercepts threats at the delivery stage to prevent known malware, polymorphic attacks, zero-day exploits, and more. Let your people use the web freely without risking data and network security.

Preferred partner (What does this mean?)

In anticipation of malware

“The threat actor proceeded to take several steps, including installing additional remote access tools such as ScreenConnect or AnyDesk instances, to ensure persistent access to the environments,” the researchers said in their report.

Between October 28 and November 8 2023, the attackers were observed dropping a payload titled text.xml to both endpoints. The file carried a C# code that loads the Meterpreter malware via the Metasploit dropper. The researchers also spotted additional processes launched via the Printer Spooler service, as well as an attempt to create new user accounts.

At press time, the researchers couldn’t yet determine if the hackers exploited a hole (or a zero-day) to access TDS’s systems, or if they somehow obtained valid login credentials. The attacks are likely still ongoing, the researchers concluded, adding that they tried to reach out to the company on multiple occasions, to no avail. Last summer, following a merger, TDS became Outcomes One.

There was nothing on the company’s blog, newsroom, LinkedIn, and X accounts, but we will update the article if the company shares new information on time.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

This new phishing strategy utilizes GitHub comments to distribute malware

Should your VPN always be on?

NYT Strands today — hints, answers and spangram for Sunday, November 10 (game #252)